A case study of a financial institution’s network security planning project in the context of data security and MLA compliance

Preface

**In recent years, incidents such as network intrusions, information leaks and network viruses have occurred frequently, and the state has successively promulgated a number of laws and regulations related to data security. As a key industry under strong national supervision, the financial industry has drafted and issued its own industry regulations, standards and specifications with reference to those higher-level laws and regulations. In addition, because the author's company built its infrastructure and information systems many years ago, some application systems, management platforms and equipment need to be updated and reorganized. Under these conditions, it is of great significance to coordinate the company's network security planning and to advance network security construction in a scientific and reasonable manner.** Apart from the leading institutions at the forefront of the industry in maturity and technological innovation, the network security construction of most financial institutions is at roughly the same level as our company's, so we share this planning project of ours with colleagues across the industry.

1. Project implementation background

*(1) Cybersecurity supervision requirements are becoming increasingly strict*

In response to the objective reality and urgent needs of the domestic and international network security situation, the state has successively introduced a series of laws, regulations and regulatory requirements, such as the "Cybersecurity Law", the "Cybersecurity Level Protection" series of standards (Classified Protection 2.0), the "Data Security Law", the "Regulations on the Security Protection of Critical Information Infrastructure" and the "Personal Information Protection Law", which put forward more comprehensive and stricter requirements for the management of network security, data security and personal information security.

*(2) Reduce costs and increase efficiency to implement network security construction*

At present, the company's digital construction has entered the fast lane: through a series of projects such as private network transformation, cloud management platform construction and enterprise service bus construction, the network is being opened up, resources are being integrated and information is being shared interactively. Against this background of all-round informatization and Classified Protection compliance, the urgent issue to resolve is to implement network security construction in step with the business systems through overall planning and intensive construction, improving network security management compliance while avoiding over-construction of network security and over-investment of resources.

2. Project construction content

*(1) Overall construction ideas*

At present, the company already has a basic security management environment: it has completed the division and construction of the intranet and the unification of Internet egress, and manages all network resources and server resources under a single overall management approach.

Figure 1: Overall construction idea framework

On this basis, we should continue to follow the defense-in-depth principle for network security. First, through the classification and grading of data assets and of existing information systems, we should clarify the protection objects of network security and the protection effort that subsequently needs to be invested.

Then, in the overall security planning stage, it is necessary to compile statistics on the existing data distribution, system analysis results and network security resource coverage, combine the classification and grading results of data and information systems with the identified network security technical risks and compliance risks, and produce the most reasonable network security planning solution.

The final planning idea is to target protection objects at different levels and the security risks they face, and to invest network security resources matching each protection level in phases and in batches. This ensures that important data and important systems receive the most comprehensive security protection available now, while also making the best use of the company's existing and future resources.

*(2) Planning project organizational structure*

The leader of the planning project leading group is the company’s network security leader, and the heads of each department serve as members of the project leading group.

The project manager of the planning project is the person in charge of the IT department, and the project members are network security professionals, security officers from each department, and third-party security service providers.

*(3) Implementation content of each stage*

*1. Data classification and grading (data compliance risk assessment)*

*1) Data asset sorting*

*Work content:*

  • Convene a project kick-off meeting (system survey + data survey), notify the heads of each department to arrange and designate the person in charge of data asset sorting of their respective departments to participate in the subsequent asset sorting work;
  • Provide training to the person in charge of data asset sorting in each department on the use of data asset reporting tools, and clarify the scope and type of data statistics and the reporting method of the current data life cycle management status;
  • The project team collects and summarizes the statistical results of data assets of various departments, and returns and corrects the statistical results that do not meet the reporting requirements.

*Work meaning:*

  • Complete the sorting out of existing data assets, laying the groundwork for formulating classification and grading principles;
  • Complete a preliminary survey of the current status of data lifecycle management.

*Output results:*

"Data Asset Sorting Table" and "Data Life Cycle Management Current Status Statistical Table"

*2) Establishment of classification and grading principles*

*Work content:*

  • Refer to "JR/T 0197-2020 Financial Data Security Data Security Grading Guidelines" and, combined with the company's existing data classification and grading principles, classify the data summarized by each department;
  • From the industry and group reference standards for data classification and grading, select the categories applicable to the current state of the company's data;
  • Combined with the level-based protection requirements of the industry's Classified Protection scheme, restate the classification and grading principles against the existing data management environment.

*Work meaning:*

  • Complete the classification and grading work by referring to best practices and combining them with the company's own management status, providing a basis for subsequent system classification and grading;
  • Preliminarily complete the analysis of resources required for data security protection at each level.

*Output results:*

"Data Classification and Grading Detailed Rules" and "Data Life Cycle Assessment Form"

*3) Data risk assessment*

*Work content:*

Refer to the "Data Security Law", "Personal Information Protection Law", "GB/T 35273-2017 Information Security Technology Personal Information Security Specification", "JR/T 0223-2021 Financial Data Security Data Life Cycle Security Specification" and other regulatory and standard requirements, combined with the statistical results of the "Data Asset Sorting Table" and "Data Life Cycle Management Current Status Statistical Table", and carry out a risk assessment of each link of the data life cycle through interviews, surveys, technical inspections and similar means.

*Work meaning:*

Identify the technical risks and compliance risks of existing data security as an important reference and input for the company's subsequent security management and overall planning.

*Output results:*

"Data Security Risk Assessment Report" and "Data Security Risk Treatment Recommendations"

*2. Information system classification and grading (full-coverage Classified Protection grading assessment)*

*1) Survey on the current status of information systems*

*Work content:*

  • Convene a project kick-off meeting (system research + data research) to inform the heads of each department to arrange and designate the information system sorting person in charge of their respective departments to cooperate with subsequent research work.
  • Provide training to the person in charge of system sorting in each department with reference to the company's existing system classification and classification definitions;
  • The project team collects and summarizes the system statistical results of each department, and returns and corrects the statistical results that do not meet the reporting requirements.

*Work meaning:*

  • Conduct a preliminary review of the systems with reference to the level-based management principles of Classified Protection, which will serve as a reference for subsequent adjustments to the system classification and grading principles;
  • Statistics on security resources invested in existing systems serve as an important input in the planning phase.

*Output results:*

"Information System Summary Table" (including business characteristics description, associated data and security resource investment statistics)

*2) Establishment of system classification and grading principles*

*Work content:*

Based on the survey results of the information systems and combined with the industry's Classified Protection requirements, compile the company's internal system classification and grading rules.

*Work meaning:*

Develop guidance documents for the classification and filing of existing information systems and new systems in the future.

*Output results:*

"Information System Classification and Grading Detailed Rules"

*3) System rating filing guidance*

*Work content:*

Conduct centralized publicity and Q&A for various departments on the "Information System Classification and Grading Detailed Rules" and the grading and registration process.

*Work meaning:*

  • Establish a basic environment to achieve full coverage of grading and registration filings;
  • Establish basic workflow for system reporting;
  • Avoid over-grading and over-construction of information systems.

*Output results:*

  • Each department has the independent ability to classify and grade its systems and to complete Classified Protection grading and filing;
  • Preliminarily completed the construction of the internal filing process of the system.

*3. Overall company network security planning (intensive construction, integration and utilization)*

*1) Security management resource analysis*

*Work content:*

Based on the statistical results of security resources during the data and system research phase, combined with the data and system classification and grading results, analyze the rationality of current resource allocation.

*Work meaning:*

As a reference for existing resource integration and future resource planning.

*Output results:*

"Security Management Resource Analysis Report"
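To make the planning logic of this section concrete (deriving a system's protection level from the data it holds, as in the classification and grading steps above, and then checking the security resources currently deployed against that level, as in the security management resource analysis), here is an added Python example. It is not code from the original article or the author's company; the 1 to 4 level scale, the baseline controls assumed per level, the high-watermark rule and all inventory rows are constructed assumptions for illustration.

```python
"""Gap analysis joining graded data assets with the system inventory.

Added example, not code from the original article or the author's company.
Everything here is constructed for illustration: the 1..4 level scale, the
baseline controls assumed for each level, and the inventory rows.
"""
from dataclasses import dataclass

MAX_LEVEL = 4  # constructed scale: 1 (lowest) .. 4 (highest)

# Constructed baseline: controls assumed to be required at each protection level.
# This is NOT taken from JR/T 0197-2020 or the Classified Protection standard.
BASELINE = {
    1: set(),
    2: {"firewall", "log_audit"},
    3: {"firewall", "log_audit", "encryption_at_rest", "access_review"},
    4: {"firewall", "log_audit", "encryption_at_rest", "access_review", "dlp", "mfa"},
}


@dataclass(frozen=True)
class DataAsset:
    """One row of the data asset sorting table as reported by a department."""
    name: str        # data item
    department: str  # reporting department
    system: str      # information system that stores or processes the item
    level: int       # grading result assigned under the classification rules


def validate_assets(assets, systems):
    """Return reporting defects to send back to the department; empty means accepted."""
    errors = []
    for a in assets:
        if not 1 <= a.level <= MAX_LEVEL:
            errors.append(f"{a.name}: level {a.level} outside 1..{MAX_LEVEL}")
        if a.system not in systems:
            errors.append(f"{a.name}: system '{a.system}' not in the system summary table")
    return errors


def required_level(assets, system):
    """High-watermark rule: a system's level is the highest level of data it holds."""
    return max((a.level for a in assets if a.system == system), default=1)


def gap_analysis(assets, systems):
    """Map each system to (required level, sorted baseline controls it still lacks)."""
    report = {}
    for system, deployed in systems.items():
        level = required_level(assets, system)
        report[system] = (level, sorted(BASELINE[level] - deployed))
    return report


def prioritize(report):
    """Rectification order: highest required level first, then most missing controls."""
    return sorted(report, key=lambda s: (-report[s][0], -len(report[s][1]), s))


# Constructed sample inventories (not real systems or data of any institution).
SAMPLE_ASSETS = [
    DataAsset("customer_id_number", "retail", "core_banking", 4),
    DataAsset("transaction_log", "retail", "core_banking", 3),
    DataAsset("marketing_copy", "marketing", "cms", 1),
    DataAsset("employee_payroll", "hr", "hr_portal", 3),
]
SAMPLE_SYSTEMS = {  # system name -> security controls currently deployed
    "core_banking": {"firewall", "log_audit", "encryption_at_rest", "access_review", "mfa"},
    "cms": {"firewall"},
    "hr_portal": {"firewall", "log_audit"},
}

if __name__ == "__main__":
    problems = validate_assets(SAMPLE_ASSETS, SAMPLE_SYSTEMS)
    if problems:
        raise SystemExit("\n".join(problems))
    report = gap_analysis(SAMPLE_ASSETS, SAMPLE_SYSTEMS)
    for system in prioritize(report):
        level, missing = report[system]
        print(f"{system}: required level {level}, missing {missing or 'nothing'}")
```

The validation step mirrors the "return and correct statistical results that do not meet the reporting requirements" step of the survey phase: a row with an out-of-range level or an unknown system is rejected before it can distort the analysis. The ordering produced by `prioritize` is the input to the rectification priority list of the resource integration suggestions.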

*2) Risk control needs analysis*

*Work content:*

Summarize the results of security inspections, risk assessments and Classified Protection evaluations from previous years, and combine them with the data risk assessment results to complete the analysis of risk control needs.

*Work meaning:*

As a reference for resource integration and planning, it clarifies the key investment direction of security resources.

*Output results:*

"Risk Control Requirements List"

*3) Suggestions on integrating network security management resources*

*Work content:*

Combining risk control requirements and the current status of security resource allocation, suggestions for integrating existing network security management resources are given, and rectification contents are prioritized.

*Work meaning:*

  • Clarify the direction of integration of existing resources;
  • Ensure the necessity and effectiveness of resource investment.

*Output results:*

"Recommendations for the Integration of Network Security Management Resources"

*4) Network security resource investment planning*

*Work content:*

  • The project team plans security resources for the remaining risk items after existing resources have been integrated and handled, mainly involving personnel organization adjustments, process construction optimization, technical product additions, and plans for reusing the original products after new ones are added;
  • Comprehensively analyze the cybersecurity strategic direction of the industry and the group, and provide cybersecurity project topics suitable for the company's management status and development.

*Work meaning:*

  • Clarify the direction of investment of additional resources within three to five years;
  • Provide suggestions on the utilization of old resources within three to five years;
  • Ensure the rationality of network security resource allocation within three to five years.

*Output results:*

"Network Security Overall Planning Report"

3. Project investment

According to the implementation plan formulated in the project plan, the project is estimated at a total of 92 man-days. The man-day estimate and implementation method for each step are as follows:

| Implementation phase | Implementation content | Implementation method | Estimated man-days |
| --- | --- | --- | --- |
| Data classification and grading | Data asset sorting | Interview research | 10 |
| | Establishment of classification and grading principles | Document writing and on-site reporting | 7 |
| | Data risk assessment | Interview research, technology evaluation | 14 |
| Information system classification and grading | Survey on the current status of information systems | Interview research | 10 |
| | Establishment of system classification and grading principles | Document writing and on-site reporting | 7 |
| | System rating filing guidance | Document writing, on-site coaching | 5 |
| Overall network security planning | Security management resource analysis | Document writing and on-site reporting | 10 |
| | Risk control needs analysis | Document writing and on-site reporting | 5 |
| | Suggestions for integrating existing resources | Document writing and on-site reporting | 10 |
| | Future resource investment planning | Document writing and on-site reporting | 14 |
| Total man-days | | | 92 |

4. Project implementation cycle and nodes

*(1) Project construction cycle*

Construction period: June 20XX - December 20XX

*(2) Key nodes in project implementation*

| No. | Project implementation progress | Start time |
| --- | --- | --- |
| 1 | Project beginning | June 20XX |
| 2 | Data asset/information system sorting training | June 20XX |
| 3 | Data asset/information system sorting | June-July 20XX |
| 4 | Establishment of classification and grading principles | July-August 20XX |
| 5 | Data risk assessment | August-September 20XX |
| 6 | System rating filing guidance | September 20XX |
| 7 | Security management resources/risk control needs analysis | September-October 20XX |
| 8 | Resource integration suggestions/resource investment planning and preparation | October-November 20XX |
| 9 | Resource integration suggestions/resource investment planning review | November-December 20XX |
| 10 | Project acceptance | December 20XX |


Origin blog.csdn.net/web22050702/article/details/133271761